Re: [Fedora-directory-users] ssl certificate problem
by Paolo Ercolani
Paolo Ercolani wrote:
Hi. I'm new to this list and I've been really fighting with
directory server for a week. I followed some howtos and downloaded a lot of
documents, but I can't get out of trouble. I need to log in from
my Linux boxes on the LDAP directory server. If I try to use my test
user in clear mode I can do that. The problem is when I try to
configure a self-signed certificate. I won't describe all the tests
I've done, I'll tell you just the last!! I created my cacert.pem on
the LDAP server and installed it from the console. It goes and it's
OK. Then I used openssl to generate a private key and a certificate
request, then I signed it. That's what I did:
openssl genrsa -out privkey.pem 2048
openssl req -new -key privkey.pem -out PEM.csr
openssl ca -cert cacert.pem -in PEM.csr -out cert.pem
I copied cacert.pem, privkey.pem and cert.pem to the client and
configured ldap.conf on it:
URI ldaps://<ldapserver>:636
BASE ou=UTENTI,o=postel,c=com
host kingu.postel.com
TLS_REQCERT allow
TLS_CHECKPEER yes
TLS_CACERTDIR /etc/ssl
TLS_CACERT /etc/ssl/cacert.pem
TLS_CERT /etc/ssl/cert.pem
TLS_KEY /etc/ssl/privkey.pem
I activated SSL on my LDAP server and installed my cacert.pem on
it. I didn't do anything else. I also tried to generate a certificate
request from directory server and to sign it with my cacert.pem.
Then I imported it as my server-cert. It imported it but login
still didn't go.
> I'm unclear on this last step. What do you mean by login still didn't
> go? Because the access log excerpt below would seem to indicate that
> the os did search for and find the login name.
Yes. Reading the logs, it seems login goes OK. But my client can't really
log in and I don't know what I can check. The client asks me again for the
password, but I'm sure it's the right one. Have you any ideas for
checking something???
Thanks in advance.
Paolo.
16 years, 11 months
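The client configuration quoted above sets TLS_REQCERT to allow, which in OpenLDAP ldap.conf(5) semantics means an unverifiable server certificate is ignored and the session proceeds, so the client never actually proves it is talking to the real server. The following lint is an added example written for this page; it is not code from the post or from Fedora Directory Server. It assumes OpenLDAP keyword semantics (TLS_REQCERT takes never/allow/try/demand/hard, default demand; TLS_CHECKPEER is a pam_ldap/nss_ldap keyword rather than a libldap one), and the sample file is constructed from the settings shown in the post with a placeholder hostname.

```python
"""Lint an OpenLDAP-style ldap.conf for client TLS settings that weaken
server verification.  Added example; assumptions are noted inline."""

# Assumption: OpenLDAP ldap.conf(5) semantics.  Only these two values make
# the client abort when the server certificate is missing or unverifiable.
STRICT_REQCERT = {"demand", "hard"}

# Constructed sample, mirroring the client configuration quoted in the post
# (hostname replaced by a placeholder).
SAMPLE_LDAP_CONF = """\
URI ldaps://ldapserver.example.invalid:636
BASE ou=UTENTI,o=postel,c=com
host kingu.postel.com
TLS_REQCERT allow
TLS_CHECKPEER yes
TLS_CACERTDIR /etc/ssl
TLS_CACERT /etc/ssl/cacert.pem
TLS_CERT /etc/ssl/cert.pem
TLS_KEY /etc/ssl/privkey.pem
"""


def parse_ldap_conf(text):
    """Return {KEYWORD: value}; keywords are case-insensitive, '#' starts a
    comment, and a later occurrence of a keyword overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def lint_tls(settings):
    """Return a list of (code, message) findings about server verification."""
    findings = []
    # OpenLDAP defaults TLS_REQCERT to 'demand' when the keyword is absent.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert not in STRICT_REQCERT:
        findings.append(("REQCERT_WEAK",
                         f"TLS_REQCERT {reqcert}: an unverifiable server certificate "
                         "does not abort the session, so an impostor server is "
                         "accepted; set TLS_REQCERT demand"))
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(("NO_TRUST_ANCHOR",
                         "neither TLS_CACERT nor TLS_CACERTDIR is set: with a strict "
                         "TLS_REQCERT every connection fails, with a lax one every "
                         "certificate is accepted"))
    if "TLS_CHECKPEER" in settings:
        findings.append(("AMBIGUOUS_KEYWORD",
                         "TLS_CHECKPEER is a pam_ldap/nss_ldap keyword, not a libldap "
                         "one; which library honours it depends on which file is read, "
                         "so do not rely on it to compensate for a lax TLS_REQCERT"))
    if "HOST" in settings and "URI" in settings:
        findings.append(("HOST_DEPRECATED",
                         "HOST is deprecated in favour of URI; keep only URI so the "
                         "ldaps:// scheme and port are unambiguous"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_tls(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print(f"{code}: {msg}")
```

Run as written, the sample reports REQCERT_WEAK, AMBIGUOUS_KEYWORD and HOST_DEPRECATED; a file containing only URI, TLS_REQCERT demand and TLS_CACERT produces no findings. The check does not open a connection, so pair it with an actual handshake test (for example openssl s_client against the server with the same CA file) when validating a deployment.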
[Fedora-directory-users] db_verify
by Ville Silventoinen
After I import about 1400 accounts to a new database (ebiRoot, People
subtree), I get a lot of errors when I run verify-db.pl (slapd has been stopped):
Verify log files in db ... Good
Verify db/ebiRoot/uid.db4 ... Good
Verify db/ebiRoot/mail.db4 ...
DB ERROR: db_verify: Page 37: out-of-order key at entry 247
DB ERROR: db_verify: Page 37: out-of-order key at entry 503
...
Same error for ancestorid.db4, objectclass.db4, parentid.db4, cn.db4,
givenName.db4 and sn.db4.
I have run db2index and re-run verify-db.pl but I don't see any
difference. Here is what db2index says about ebiRoot:
[29/Mar/2007:12:04:26 +0100] upgrade DB - ebiRoot: Start upgradedb.
[29/Mar/2007:12:04:26 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[29/Mar/2007:12:04:26 +0100] - import ebiRoot: Index buffering enabled with bucket size 100
[29/Mar/2007:12:04:27 +0100] - import ebiRoot: Workers finished; cleaning up...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Workers cleaned up.
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Cleaning up producer thread...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Indexing complete. Post-processing...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Flushing caches...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Closing files...
[29/Mar/2007:12:04:29 +0100] - import ebiRoot: Import complete. Processed
1424 entries in 3 seconds. (474.67 entries/sec)
Does that WARNING "No other process is allowed to access the database" mean
something is wrong?
How can I locate those "out-of-order keys" the db_verify lists? I tried
with dbscan but I don't think I'm giving the right entry id:
$ ./dbscan -K 247 -f db/ebiRoot/mail.db4
Can't set cursor to returned item: DB_NOTFOUND: No matching key/data pair found
Is there a way to find out which entries are causing the problem? Can
there be illegal characters in the entries?
If I import a considerably smaller set of entries (120), I get no errors.
I noticed there was a similar thread here but no conclusion:
http://www.mail-archive.com/fedora-directory-users@redhat.com/msg04461.html
Sorry for so many questions, I've spent a couple of days trying to
solve the problem.
If I delete a database with the Console, it leaves behind a couple of index files:
-rw------- 1 w3secure systems 16384 Mar 28 17:05 ancestorid.db4
-rw------- 1 w3secure systems 18 Mar 28 17:03 DBVERSION
-rw------- 1 w3secure systems 32768 Mar 28 17:05 id2entry.db4
These index files don't seem to shrink when new entries are imported.
dbscan still shows the deleted entries in id2entry.
I noticed a problem when I import a small set of entries, delete the
database, import large set of entries and if I query the entries, I get
the entries from the first set (they don't exist in the second set). I can
reproduce the problem. If I delete ancestorid.db4 and id2entry.db4
manually when I delete the database, I don't have this problem. Is there a
reason why those two files are not deleted? Or can this whole thing be
caused by corrupted data?
Ville
16 years, 11 months
[Fedora-directory-users] How can I check other user info in non-privileged mode
by Yu Joe
Dear all,
I've just set up Fedora Directory Server for centralizing my system
accounts. I can log in to the system with any of my LDAP accounts, but
suddenly found I cannot get other users' info with the "id" or "getent passwd"
commands when I am in non-privileged user mode. Does anyone know why?
Because I can do this as the root user or in an NIS environment. Somebody help,
please. Thanks a lot.
--
Joe Yu
One of the RHCEs in Taiwan.
16 years, 11 months
[Fedora-directory-users] SSH help
by Dennis Crissman
I am really struggling to get Fedora Directory Server working using
ADSync. I am confused on a lot of fronts, it would be fair to say I am a
newbie when it comes to SSH, CAs, and synchronizing anything against
Active Directory. So I am at a disadvantage to start with.
I have been using
http://directory.fedoraproject.org/wiki/Howto:WindowsSync for my
instruction base as well as
http://directory.fedoraproject.org/wiki/Howto:SSL for setting up FDS to
use SSL.
Here are my steps so far:
1) Install and setup FDS and create my directory server. So far so good.
2) Execute setupssl.sh from the Howto:SSL link above.
* As far as I can tell this script automates everything in "Basic
Steps", so correct me if I am wrong, but I shouldn't have to actually do
any of them after running the script?
3) Restart both my admin and directory servers.
After I have restarted my servers, it would seem to me that FDS would be
exclusively accessible over port 636. So I use an LDAP Browser to
verify, and it turns out that 389 is still available and the other
isn't. Why is this?
At this point I decide to move onto another step
(http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_fo...)
in the instructions and setup ADSync on the Active Directory box.
Install goes fine, though I am obviously unable to get it to connect to
the FDS yet.
I am able to create the cert8.db, but then hit a road block again when I
try to execute "pk12util -d . -P slapd-<instance> -o servercert.p12 -n
Server-Cert", and yes I swap <instance> for my host name. I get this
exception: "pk12util: find user certs from nickname failed: security
library: bad database.". Any idea?
I know this is a lot, but I would appreciate any help I can get.
Thank you,
Dennis
16 years, 11 months
[Fedora-directory-users] reset admin password
by Deric Abel
Hello
I recently tried changing the admin password on the Management console,
and after doing so it's telling me the password is incorrect. How can I
reset the password?
Thanks,
Deric
16 years, 11 months
[Fedora-directory-users] Replication Subtree not Available?
by Glenn
I'm trying to create a replication agreement on a Fedora Directory server,
version 1.0.3. I want to select a subtree of the database for replication,
but there doesn't seem to be a way to do this. The help says I can select a
subtree by creating the agreement from the Replication folder instead of from
the database, but there is no option to create an agreement when I right-
click the Replication folder. Is the help wrong, or is this feature
available in some other version, or am I just missing something?
This feature is available when creating a Windows Sync agreement, and it is
very useful for testing. Thanks. -G.
16 years, 11 months
[Fedora-directory-users] More segfaults - getting urgent
by Philip Kime
Help ... my slapd servers are segfaulting regularly now. They are
certainly more heavily loaded than they used to be but not overly so.
Apr 4 03:40:01 ldap001 kernel: ns-slapd[16820]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000406dc0c8 error 4
Mar 19 00:00:08 ldap001 kernel: ns-slapd[18926]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000404110c8 error 4
Apr 10 16:00:11 ldap001 kernel: ns-slapd[23382]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000404110c8 error 4
It's odd - they were rock-solid for months and suddenly they have
started to do this - any ideas? There is nothing in the error logs at
all at the time of the crashes and the access logs don't show anything
out of the ordinary.
PK
--
Philip Kime
NOPS Systems Architect
310 401 0407
16 years, 11 months
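The three kernel lines above carry more information than the post uses: the faulting address, the instruction pointer and the x86 page-fault error code. Decoding them is a first triage step before any core-file work. The parser below is an added example for this page, not code from the post or from the server; it assumes the standard x86 page-fault error-code bit layout (bit 0 protection violation vs. not-present, bit 1 write vs. read, bit 2 user vs. kernel mode, bit 3 reserved-bit, bit 4 instruction fetch) and uses a constructed copy of the post's three lines, each joined onto one line.

```python
"""Parse kernel 'segfault at' lines and group them by crash site.
Added example; the sample log is constructed from the post's three lines."""
import re

# Constructed sample: the three lines from the post, one record per line.
SAMPLE_SYSLOG = """\
Apr  4 03:40:01 ldap001 kernel: ns-slapd[16820]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000406dc0c8 error 4
Mar 19 00:00:08 ldap001 kernel: ns-slapd[18926]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000404110c8 error 4
Apr 10 16:00:11 ldap001 kernel: ns-slapd[23382]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000404110c8 error 4
"""

SEGFAULT_RE = re.compile(
    r"kernel: (?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"rip (?P<rip>[0-9a-f]+) rsp (?P<rsp>[0-9a-f]+) error (?P<err>\d+)")

PAGE_SIZE = 4096  # assumption: near-NULL means inside the first page


def decode_error(code):
    """Decode the x86 page-fault error code bits (assumed standard layout)."""
    return {
        "present": bool(code & 1),      # 1 = protection violation, 0 = page not mapped
        "write": bool(code & 2),        # 1 = write access, 0 = read access
        "user": bool(code & 4),         # 1 = fault in user mode
        "reserved": bool(code & 8),     # reserved bit set in a page-table entry
        "instr_fetch": bool(code & 16), # fault on instruction fetch (NX)
    }


def classify(addr, err):
    """Human-readable hint derived only from address and error bits."""
    mode = "user-mode" if err["user"] else "kernel-mode"
    access = "instruction fetch" if err["instr_fetch"] else ("write" if err["write"] else "read")
    page = "protection violation" if err["present"] else "unmapped page"
    hint = f"{mode} {access} at 0x{addr:x} ({page})"
    if addr < PAGE_SIZE:
        # A tiny fault address is the classic signature of dereferencing a
        # NULL struct pointer: the offset is the field being accessed.
        hint += f"; near-NULL: likely NULL pointer dereference via field at offset 0x{addr:x}"
    return hint


def parse_segfaults(text):
    """Return one dict per recognised 'segfault at' line."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        events.append({
            "comm": m["comm"], "pid": int(m["pid"]),
            "addr": int(m["addr"], 16), "rip": int(m["rip"], 16),
            "rsp": int(m["rsp"], 16), "error": decode_error(int(m["err"])),
        })
    return events


def summarize(events):
    """Group by (comm, rip, addr).  The same rip faulting on the same address
    across different PIDs points at one deterministic bug rather than random
    memory corruption, and rip is what to feed to addr2line/gdb against the
    exact binary that was running."""
    groups = {}
    for e in events:
        key = (e["comm"], e["rip"], e["addr"])
        g = groups.setdefault(key, {"count": 0, "pids": [], "hint": classify(e["addr"], e["error"])})
        g["count"] += 1
        g["pids"].append(e["pid"])
    return groups


if __name__ == "__main__":
    for (comm, rip, addr), g in summarize(parse_segfaults(SAMPLE_SYSLOG)).items():
        print(f"{comm} rip=0x{rip:x} x{g['count']} pids={g['pids']}: {g['hint']}")
```

For the post's data this yields a single group: three user-mode reads of address 0x8 from the same rip, i.e. one repeatable NULL-pointer-style fault at a fixed code location, which is the case where a symbolised rip from the matching ns-slapd build is worth far more than waiting for the next crash.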
[Fedora-directory-users] Re: Error viewing Encryption settings tab
by Philip Kime
Hmm - I restarted the Admin server and this error went away. Now there
is no problem with that tab. I do nightly restarts of slapd (to guard
against memory leaks, even though the NSS leak was fixed some time ago)
but I've never restarted the admin server. Perhaps I should restart both
...
PK
16 years, 11 months
[Fedora-directory-users] Non-indexed searches on objectclass?
by Philip Kime
When I look at the logconv output for some of my FDS servers, I see that
the common factor on all listed unindexed searches is using the
"objectclass" attribute. Is it worth indexing this?
PK
--
Philip Kime
NOPS Systems Architect
310 401 0407
16 years, 11 months
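Rather than read logconv's summary, the underlying access log can be mined directly: 389/Fedora Directory Server marks an unindexed search with notes=U on the RESULT line, and the matching SRCH line (same conn and op) carries the filter. Counting which filter attributes appear in those searches shows whether one attribute, such as objectclass, dominates. The script below is an added example written for this page, not the project's logconv.pl; the log lines are constructed in the server's access-log format with placeholder connection numbers and base DN.

```python
"""Correlate SRCH and RESULT access-log lines and count the filter attributes
used by unindexed (notes=U) searches.  Added example; sample lines are
constructed in 389 Directory Server access-log format."""
import re
from collections import Counter

# Constructed sample: two unindexed searches and one indexed one.
SAMPLE_ACCESS_LOG = """\
[10/Apr/2007:16:00:01 +0100] conn=1512 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=person)" attrs="uid cn"
[10/Apr/2007:16:00:04 +0100] conn=1512 op=3 RESULT err=0 tag=101 nentries=1424 etime=3 notes=U
[10/Apr/2007:16:00:05 +0100] conn=1513 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=pkime)" attrs=ALL
[10/Apr/2007:16:00:05 +0100] conn=1513 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Apr/2007:16:00:09 +0100] conn=1514 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber>=1000))" attrs=ALL
[10/Apr/2007:16:00:15 +0100] conn=1514 op=2 RESULT err=0 tag=101 nentries=1380 etime=6 notes=U
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
# An attribute name immediately inside a filter component: "(name=", "(name>=", "(name~=", "(name<=".
ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)\s*[~<>]?=')


def find_unindexed(text):
    """Return a list of unindexed searches, each with its filter, base,
    nentries and etime, by pairing RESULT lines carrying notes=U with the
    SRCH line of the same (conn, op)."""
    pending = {}   # (conn, op) -> {"filter":..., "base":...}
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # e.g. internal ops (conn=Internal) or connection lines
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        if rest.startswith("SRCH "):
            f = re.search(r'filter="([^"]*)"', rest)
            b = re.search(r'base="([^"]*)"', rest)
            pending[key] = {"filter": f.group(1) if f else "", "base": b.group(1) if b else ""}
        elif rest.startswith("RESULT "):
            fields = dict(re.findall(r'(\w+)=(\S+)', rest))
            notes = fields.get("notes", "").split(",")
            srch = pending.pop(key, None)
            if "U" in notes and srch is not None:
                hits.append({
                    "conn": key[0], "op": key[1],
                    "filter": srch["filter"], "base": srch["base"],
                    "nentries": int(fields.get("nentries", "0")),
                    "etime": float(fields.get("etime", "0")),
                })
    return hits


def attribute_counts(hits):
    """Count (lower-cased) attribute names across the unindexed filters.
    A filter is unindexed when any component needs an index type (eq, sub,
    pres) that the attribute lacks, so the attribute to look at is the one
    that recurs here."""
    counts = Counter()
    for h in hits:
        for attr in ATTR_RE.findall(h["filter"]):
            counts[attr.lower()] += 1
    return counts


if __name__ == "__main__":
    hits = find_unindexed(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f"conn={h['conn']} op={h['op']} etime={h['etime']} nentries={h['nentries']} filter={h['filter']}")
    print(attribute_counts(hits).most_common())
```

On the sample this reports two unindexed searches and the counts objectclass 2, uidnumber 1. The attribute with the highest count is the candidate for an index, but the index type matters: an equality index on an attribute does nothing for a substring filter on it, so check the matching rule each flagged filter actually uses before adding the index and re-running db2index.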
[Fedora-directory-users] ldap super users
by Rick Mattier
Hi,
In my setup, I currently have three branches:
ou=Engineering,dc=mydomain,dc=com, ou=Sales,dc=mydomain,dc=com and
ou=People,dc=mydomain,dc=com. I would like to know if there is a
primary group that I can create that houses administrators who can
access all of these OUs without being added to each OU.
Rick Mattier
Systems Administrator
W 617 674-6168
M 617 201-1774
E rmattier(a)endeca.com
Endeca
101 Main Street
Cambridge, Ma. 02142
www.endeca.com
find / analyze / understand
16 years, 11 months